Authentication and Authorization

Controlling Access Using OAuth

You can use API access control via authentication and authorization for securing
your container platform. The OpenShift Container Platform master includes a built-in OAuth
server. Users can obtain OAuth access tokens to authenticate themselves to the
API.

As an administrator, you can configure OAuth to authenticate using an identity
provider, such as LDAP, GitHub, or Google. The Deny All identity provider is
used by default for new OpenShift Container Platform deployments, but you can
configure this at initial installation time or post-installation. See
Configuring authentication and user agent for a full list of identity providers.

For example, to configure the GitHub identity provider post-installation:
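The following master-config.yaml fragment is an added example and is not taken from this page or from the OpenShift documentation; the client ID, client secret and organization name in angle brackets are placeholders for the values of your own GitHub OAuth application and organization.

```yaml
# Added example (not from the original page): a GitHub identity provider
# entry in /etc/origin/master/master-config.yaml. Values in angle brackets
# are placeholders for your own GitHub OAuth application and organization.
oauthConfig:
  # ... existing oauthConfig keys (masterURL, masterPublicURL, ...) stay as they are
  identityProviders:
  - name: github
    # GitHub cannot answer WWW-Authenticate challenges, so only the browser
    # login flow is enabled; `oc login` with a username/password will not use it.
    challenge: false
    login: true
    # "claim" provisions a user with the GitHub login name and fails the login
    # if that user name is already mapped to a different identity.
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: GitHubIdentityProvider
      clientID: <client-id-from-github-oauth-app>
      clientSecret: <client-secret-from-github-oauth-app>
      # Restrict logins to members of these organizations. Without this list,
      # any GitHub account can authenticate to the cluster. The provider also
      # accepts a `teams:` list (org/team form) as an alternative restriction.
      organizations:
      - <your-github-org>
```

The change takes effect after the master API service is restarted, and the OAuth application's callback URL on GitHub must point at the master's public OAuth endpoint.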

API Access Control and Management

Applications can have multiple, independent API services which have different
endpoints that require management. OpenShift Container Platform includes a containerized
version of the 3scale API gateway so that you can manage your APIs and control
access.

3scale gives you a variety of standard options for API authentication and
security, which can be used alone or in combination to issue credentials and
control access: Standard API keys, Application ID and key pair, and OAuth 2.0.

You can restrict access to specific endpoints, methods, and services and apply
access policies to groups of users. Application plans allow you to set rate
limits for API usage and control traffic flow for groups of developers.

Secure Self-service Web Console

OpenShift Container Platform provides a self-service web console to ensure that teams do not
access other environments without authorization. OpenShift Container Platform ensures a
secure multi-tenant master by providing the following:

Managing Certificates for the Platform

OpenShift Container Platform has multiple components within its framework that communicate over
REST-based HTTPS, encrypted with TLS certificates.
OpenShift Container Platform’s Ansible-based installer configures these certificates during
installation. The primary components that generate this traffic are:

masters (API server and controllers)

etcd

nodes

registry

router

Configuring Custom Certificates

You can configure custom serving certificates for the public host names of the
API server and web console during initial installation or when redeploying
certificates. You can also use a custom CA.

During initial advanced installations using Ansible playbooks, custom
certificates can be configured using the
openshift_master_overwrite_named_certificates Ansible variable, which is
configurable in the inventory file. For example:

The installer provides Ansible playbooks for checking on the expiration dates of
all cluster certificates. Additional playbooks can automatically redeploy all
certificates at once using the current CA, redeploy specific certificates only,
or redeploy a newly generated or custom CA on its own. See
Redeploying Certificates for more on these playbooks.